NULL pointer deref through `ydotool`.

[raichoo]

Hi,

I was able to trigger a NULL pointer deref issuing ydotool key [sic] as root. Here
is the output of the clang sanitizer.

AddressSanitizer:DEADLYSIGNAL
=================================================================
==2003==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x000800e1f854 bp 0x7fffffffe090 sp 0x7fffffffe090 T0)  into the appropriate mode modules allows for more optimizations (like properly

==2003==The signal is caused by a READ memory access.
==2003==Hint: address points to the zero page.
    #0 0x800e1f853 in udev_device_unref (/usr/local/lib/libudev.so.0+0x5853)
    #1 0x8008f5359  (/usr/local/lib/libinput.so.10+0x27359)
    #2 0x8008f2d05  (/usr/local/lib/libinput.so.10+0x24d05)
    #3 0x80091059c  (/usr/local/lib/libinput.so.10+0x4259c)
    #4 0x800910751  (/usr/local/lib/libinput.so.10+0x42751)
    #5 0x8008ed8dc in libinput_dispatch (/usr/local/lib/libinput.so.10+0x1f8dc)
    #6 0x800418952  (/usr/local/lib/libwlroots.so.5+0x5a952)
    #7 0x8008c661b in wl_event_loop_dispatch (/usr/local/lib/libwayland-server.so.0+0xe61b)
    #8 0x8008c395c in wl_display_run (/usr/local/lib/libwayland-server.so.0+0xb95c)
    #9 0x345e21 in hikari_server_start /usr/home/raichoo/hikari-2.0.0/src/server.c:913:3
    #10 0x33798f in main /usr/home/raichoo/hikari-2.0.0/main.c:101:3
    #11 0x258714 in _start /usr/src/lib/csu/amd64/crt1.c:76:7
    #12 0x8003a3007  (<unknown module>)

Package is libudev-devd-0.4.1

[zeising]

Can you provide a way to reproduce this?

[raichoo]

Basically just running ydotool key as root should be enough, I can do this in hikari and sway and it brings down the entire compositor. Sometimes I need more than one try but it's pretty reproducible here. The ASAN output is from hikari built with -fsanitize=address from clang.

[raichoo]

You really need to run ydotool key without specifying any key though. That's the trick.